testing

2022-01-15 08:31:17 +02:00 · 2022-01-15 08:31:17 +02:00 · 2b6418a132
parent 43e2aedbd2
commit 2b6418a132
13 changed files with 101 additions and 109 deletions
--- a/files/main.py
+++ b/files/main.py
@ -74,6 +74,7 @@ limiter = Limiter(
 	app,
 	key_func=get_ipaddr,
 	default_limits=["3/second;30/minute;200/hour;1000/day"],
+	application_limits=["5/second;100/minute;5000/hour;10000/day"],
 	headers_enabled=True,
 	strategy="fixed-window"
 )
--- a/files/mail/init.py
+++ b/files/mail/init.py
@ -41,7 +41,7 @@ def send_verification_email(user, email=None):


@app.post("/verify_email")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def api_verify_email(v):

--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@ -31,7 +31,7 @@ month = datetime.now().strftime('%B')


@app.post("/@<username>/make_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(3)
 def make_admin(v, username):
 	if request.host == 'rdrama.net': abort(403)
@ -44,7 +44,7 @@ def make_admin(v, username):


@app.post("/@<username>/remove_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(3)
 def remove_admin(v, username):
 	user = get_user(username)
@ -55,7 +55,7 @@ def remove_admin(v, username):
 	return {"message": "Admin removed!"}

@app.post("/distribute/<comment>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(3)
 def distribute(v, comment):
 	try: comment = int(comment)
@ -90,7 +90,7 @@ def distribute(v, comment):
 	return {"message": f"Each winner has received {coinsperperson} coins!"}

@app.post("/@<username>/revert_actions")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(3)
 def revert_actions(v, username):
 	user = get_user(username)
@ -128,7 +128,7 @@ def revert_actions(v, username):
 	return {"message": "Admin actions reverted!"}

@app.post("/@<username>/club_allow")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def club_allow(v, username):

@ -149,7 +149,7 @@ def club_allow(v, username):
 	return {"message": f"@{username} has been allowed into the {cc}!"}

@app.post("/@<username>/club_ban")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def club_ban(v, username):

@ -170,7 +170,7 @@ def club_ban(v, username):


@app.post("/@<username>/make_meme_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def make_meme_admin(v, username):
 	if request.host == 'pcmemes.net' or (SITE_NAME == 'Drama' and v.admin_level > 2) or (request.host != 'rdrama.net' and request.host != 'pcmemes.net'):
@ -183,7 +183,7 @@ def make_meme_admin(v, username):


@app.post("/@<username>/remove_meme_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def remove_meme_admin(v, username):
 	if request.host == 'pcmemes.net' or (SITE_NAME == 'Drama' and v.admin_level > 2) or (request.host != 'rdrama.net' and request.host != 'pcmemes.net'):
@ -238,7 +238,7 @@ def get_sidebar(v):


@app.post('/admin/sidebar')
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(3)
 def post_sidebar(v):

@ -413,7 +413,7 @@ def badge_grant_get(v):


@app.post("/admin/badge_grant")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def badge_grant_post(v):
 	user = get_user(request.values.get("username").strip(), graceful=True)
@ -452,7 +452,7 @@ def badge_remove_get(v):


@app.post("/admin/badge_remove")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def badge_remove_post(v):
 	user = get_user(request.values.get("username").strip(), graceful=True)
@ -602,7 +602,7 @@ def alt_votes_get(v):


@app.post("/admin/link_accounts")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_link_accounts(v):

@ -725,7 +725,7 @@ def agendaposter(user_id, v):


@app.post("/shadowban/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def shadowban(user_id, v):
 	user = g.db.query(User).filter_by(id=user_id).one_or_none()
@ -750,7 +750,7 @@ def shadowban(user_id, v):


@app.post("/unshadowban/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def unshadowban(user_id, v):
 	user = g.db.query(User).filter_by(id=user_id).one_or_none()
@ -776,7 +776,7 @@ def unshadowban(user_id, v):
 	return {"message": "User unshadowbanned!"}

@app.post("/admin/verify/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def verify(user_id, v):
 	user = g.db.query(User).filter_by(id=user_id).one_or_none()
@ -794,7 +794,7 @@ def verify(user_id, v):
 	return {"message": "User verfied!"}

@app.post("/admin/unverify/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def unverify(user_id, v):
 	user = g.db.query(User).filter_by(id=user_id).one_or_none()
@ -813,7 +813,7 @@ def unverify(user_id, v):


@app.post("/admin/title_change/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_title_change(user_id, v):

@ -844,7 +844,7 @@ def admin_title_change(user_id, v):
 	return redirect(user.url)

@app.post("/ban_user/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def ban_user(user_id, v):
 	
@ -906,7 +906,7 @@ def ban_user(user_id, v):


@app.post("/unban_user/<user_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def unban_user(user_id, v):

@ -945,7 +945,7 @@ def unban_user(user_id, v):


@app.post("/ban_post/<post_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def ban_post(post_id, v):

@ -981,7 +981,7 @@ def ban_post(post_id, v):


@app.post("/unban_post/<post_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def unban_post(post_id, v):

@ -1129,7 +1129,7 @@ def unsticky_comment(cid, v):


@app.post("/ban_comment/<c_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def api_ban_comment(c_id, v):

@ -1152,7 +1152,7 @@ def api_ban_comment(c_id, v):


@app.post("/unban_comment/<c_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def api_unban_comment(c_id, v):

@ -1212,7 +1212,7 @@ def admin_banned_domains(v):
 	return render_template("admin/banned_domains.html", v=v, banned_domains=banned_domains)

@app.post("/admin/banned_domains")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_toggle_ban_domain(v):

@ -1247,7 +1247,7 @@ def admin_toggle_ban_domain(v):


@app.post("/admin/nuke_user")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_nuke_user(v):

@ -1280,7 +1280,7 @@ def admin_nuke_user(v):


@app.post("/admin/unnuke_user")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_nunuke_user(v):

--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@ -176,7 +176,7 @@ def buy(v, award):

@app.get("/post/<pid>/awards")
@app.post("/post/<pid>/awards")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def award_post(pid, v):

@ -362,7 +362,7 @@ def award_post(pid, v):

@app.get("/comment/<cid>/awards")
@app.post("/comment/<cid>/awards")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def award_comment(cid, v):

@ -553,7 +553,7 @@ def admin_userawards_get(v):
 	return render_template("admin/awards.html", awards=list(AWARDS.values()), v=v) 

@app.post("/admin/awards")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_userawards_post(v):

--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@ -130,8 +130,7 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None):


@app.post("/comment")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
@auth_required
 def api_comment(v):
 	if v.is_suspended: return {"error": "You can't perform this action while banned."}, 403
@ -524,7 +523,7 @@ def api_comment(v):


@app.post("/edit_comment/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def edit_comment(cid, v):
 	if v and v.patron:
@ -696,7 +695,7 @@ def edit_comment(cid, v):


@app.post("/delete/comment/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def delete_comment(cid, v):

@ -717,7 +716,7 @@ def delete_comment(cid, v):
 	return {"message": "Comment deleted!"}

@app.post("/undelete/comment/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def undelete_comment(cid, v):

@ -781,7 +780,7 @@ def unpin_comment(cid, v):
 	return {"message": "Comment unpinned!"}

@app.post("/save_comment/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def save_comment(cid, v):

@ -799,7 +798,7 @@ def save_comment(cid, v):
 	return {"message": "Comment saved!"}

@app.post("/unsave_comment/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def unsave_comment(cid, v):

--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -73,8 +73,7 @@ def check_for_alts(current_id):


@app.post("/login")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
 def login_post():
 	template = ''

@ -154,7 +153,7 @@ def me(v):


@app.post("/logout")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def logout(v):

@ -208,8 +207,7 @@ def sign_up_get(v):


@app.post("/signup")
-@limiter.limit("1/second")
-@limiter.limit("5/day")
+@limiter.limit("1/minute;5/day")
@auth_desired
 def sign_up_post(v):
 	with open('disable_signups', 'r') as f:
@ -351,7 +349,7 @@ def get_forgot():


@app.post("/forgot")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 def post_forgot():

 	username = request.values.get("username").lstrip('@')
@ -410,7 +408,7 @@ def get_reset():


@app.post("/reset")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_desired
 def post_reset(v):
 	if v: return redirect('/')
@ -463,8 +461,7 @@ def lost_2fa(v):
 		)

@app.post("/request_2fa_disable")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
 def request_2fa_disable():

 	username=request.values.get("username")
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@ -17,7 +17,7 @@ def authorize_prompt(v):


@app.post("/authorize")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def authorize(v):

@ -35,7 +35,7 @@ def authorize(v):


@app.post("/api_keys")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@is_not_permabanned
 def request_api_keys(v):

@ -72,7 +72,7 @@ def request_api_keys(v):


@app.post("/delete_app/<aid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def delete_oauth_app(v, aid):

@ -92,7 +92,7 @@ def delete_oauth_app(v, aid):


@app.post("/edit_app/<aid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@is_not_permabanned
 def edit_oauth_app(v, aid):

@ -113,7 +113,7 @@ def edit_oauth_app(v, aid):


@app.post("/admin/app/approve/<aid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_app_approve(v, aid):

@ -147,7 +147,7 @@ def admin_app_approve(v, aid):


@app.post("/admin/app/revoke/<aid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_app_revoke(v, aid):

@ -172,7 +172,7 @@ def admin_app_revoke(v, aid):


@app.post("/admin/app/reject/<aid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def admin_app_reject(v, aid):

@ -261,7 +261,7 @@ def admin_apps_list(v):


@app.post("/oauth/reroll/<aid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def reroll_oauth_tokens(aid, v):

--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@ -50,7 +50,7 @@ def toggle_club(pid, v):


@app.post("/publish/<pid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def publish(pid, v):
 	post = get_post(pid)
@ -236,7 +236,7 @@ def post_id(pid, anything=None, v=None):
 		return render_template(template, v=v, p=post, sort=sort, render_replies=True, offset=offset)

@app.post("/viewmore/<pid>/<sort>/<offset>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def viewmore(v, pid, sort, offset):
 	offset = int(offset)
@ -336,7 +336,7 @@ def viewmore(v, pid, sort, offset):


@app.post("/morecomments/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def morecomments(v, cid):
 	tcid = g.db.query(Comment.top_comment_id).filter_by(id=cid).one_or_none()[0]
@ -384,7 +384,7 @@ def morecomments(v, cid):
 	return render_template("comments.html", v=v, comments=comments, render_replies=True)

@app.post("/edit_post/<pid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def edit_post(pid, v):
 	if v and v.patron:
@ -681,8 +681,7 @@ def thumbnail_thread(pid):


@app.post("/submit")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
@auth_required
 def submit_post(v):
 	if v.is_suspended: return {"error": "You can't perform this action while banned."}, 403
@ -1132,7 +1131,7 @@ def submit_post(v):


@app.post("/delete_post/<pid>")
-@limiter.limit("2/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def delete_post_pid(pid, v):

@ -1153,7 +1152,7 @@ def delete_post_pid(pid, v):
 	return {"message": "Post deleted!"}

@app.post("/undelete_post/<pid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def undelete_post_pid(pid, v):
 	post = get_post(pid)
@ -1208,7 +1207,7 @@ def toggle_post_nsfw(pid, v):
 	else: return {"message": "Post has been unmarked as +18!"}

@app.post("/save_post/<pid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def save_post(pid, v):

@ -1224,7 +1223,7 @@ def save_post(pid, v):
 	return {"message": "Post saved!"}

@app.post("/unsave_post/<pid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def unsave_post(pid, v):

--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@ -6,7 +6,7 @@ from os import path
 from files.helpers.sanitize import filter_emojis_only

@app.post("/report/post/<pid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def api_flag_post(pid, v):

@ -36,7 +36,7 @@ def api_flag_post(pid, v):


@app.post("/report/comment/<cid>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def api_flag_comment(cid, v):

@ -60,7 +60,7 @@ def api_flag_comment(cid, v):


@app.post('/del_report/<report_fn>')
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(2)
 def remove_report(report_fn, v):

--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@ -34,7 +34,7 @@ tiers={
 	}

@app.post("/settings/removebackground")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def removebackground(v):
 	v.background = None
@ -43,7 +43,7 @@ def removebackground(v):
 	return {"message": "Background removed!"}

@app.post("/settings/profile")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_profile_post(v):
 	if v and v.patron:
@ -409,7 +409,7 @@ def changelogsub(v):
 	else: return {"message": "You have unsubscribed from the changelog!"}

@app.post("/settings/namecolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def namecolor(v):

@ -422,7 +422,7 @@ def namecolor(v):
 	return redirect("/settings/profile")
 	
@app.post("/settings/themecolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def themecolor(v):

@ -435,7 +435,7 @@ def themecolor(v):
 	return redirect("/settings/profile")

@app.post("/settings/gumroad")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def gumroad(v):
 	if SITE_NAME == 'Drama': patron = 'Paypig'
@ -487,7 +487,7 @@ def gumroad(v):
 	return {"message": f"{patron} rewards claimed!"}

@app.post("/settings/titlecolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def titlecolor(v):

@ -500,7 +500,7 @@ def titlecolor(v):
 	return redirect("/settings/profile")

@app.post("/settings/verifiedcolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def verifiedcolor(v):
 	verifiedcolor = str(request.values.get("verifiedcolor", "")).strip()
@ -512,7 +512,7 @@ def verifiedcolor(v):
 	return redirect("/settings/profile")

@app.post("/settings/security")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_security_post(v):
 	if request.values.get("new_password"):
@ -595,7 +595,7 @@ def settings_security_post(v):
 		return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.")

@app.post("/settings/log_out_all_others")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_log_out_others(v):

@ -616,7 +616,7 @@ def settings_log_out_others(v):


@app.post("/settings/images/profile")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_images_profile(v):
 	if v and v.patron:
@ -651,7 +651,7 @@ def settings_images_profile(v):


@app.post("/settings/images/banner")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_images_banner(v):
 	if v and v.patron:
@ -676,7 +676,7 @@ def settings_images_banner(v):


@app.post("/settings/delete/profile")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_delete_profile(v):

@ -689,7 +689,7 @@ def settings_delete_profile(v):
 						   msg="Profile picture successfully removed.")

@app.post("/settings/delete/banner")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_delete_banner(v):

@ -714,7 +714,7 @@ def settings_css_get(v):
 	return render_template("settings_css.html", v=v)

@app.post("/settings/css")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_css(v):
 	if v.agendaposter: return {"error": "Agendapostered users can't edit css!"}
@ -734,7 +734,7 @@ def settings_profilecss_get(v):
 	return render_template("settings_profilecss.html", v=v)

@app.post("/settings/profilecss")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_profilecss(v):
 	if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css."
@ -746,7 +746,7 @@ def settings_profilecss(v):
 	return render_template("settings_profilecss.html", v=v)

@app.post("/settings/block")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_block_user(v):

@ -780,7 +780,7 @@ def settings_block_user(v):


@app.post("/settings/unblock")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_unblock_user(v):

@ -809,7 +809,7 @@ def settings_apps(v):


@app.post("/settings/remove_discord")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_remove_discord(v):

@ -829,7 +829,7 @@ def settings_content_get(v):
 	return render_template("settings_filters.html", v=v)

@app.post("/settings/name_change")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@is_not_permabanned
 def settings_name_change(v):

@ -873,7 +873,7 @@ def settings_name_change(v):
 	return redirect("/settings/profile")

@app.post("/settings/song_change")
-@limiter.limit("5/day;1/second")
+@limiter.limit("1/second;5/day")
@auth_required
 def settings_song_change(v):
 	song=request.values.get("song").strip()
@ -951,7 +951,7 @@ def settings_song_change(v):
 	return redirect("/settings/profile")

@app.post("/settings/title_change")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def settings_title_change(v):

--- a/files/routes/static.py
+++ b/files/routes/static.py
@ -262,8 +262,7 @@ def contact(v):
 	return render_template("contact.html", v=v)

@app.post("/send_admin")
-@limiter.limit("1/second")
-@limiter.limit("6/hour")
+@limiter.limit("1/second;2/minute;6/hour;10/day")
@auth_required
 def submit_contact(v):
 	body = request.values.get("message")
--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -133,7 +133,7 @@ def downvoting(v, username):
 	return render_template("voters.html", v=v, users=users, name='Down', name2=f'Who @{username} hates')

@app.post("/pay_rent")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def pay_rent(v):
 	if v.coins < 500: return {"error":"You must have more than 500 coins."}
@ -149,7 +149,7 @@ def pay_rent(v):


@app.post("/steal")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def steal(v):
 	if int(time.time()) - v.created_utc < 604800:
@ -203,7 +203,7 @@ def thiefs(v):


@app.post("/@<username>/suicide")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def suicide(v, username):
 	t = int(time.time())
@ -225,7 +225,7 @@ def get_coins(v, username):
 	else: return {"error": "invalid_user"}, 404

@app.post("/@<username>/transfer_coins")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@is_not_permabanned
 def transfer_coins(v, username):
 	receiver = g.db.query(User).filter_by(username=username).one_or_none()
@ -262,7 +262,7 @@ def transfer_coins(v, username):


@app.post("/@<username>/transfer_bux")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@is_not_permabanned
 def transfer_bux(v, username):
 	receiver = g.db.query(User).filter_by(username=username).one_or_none()
@ -367,7 +367,7 @@ def song(song):
 	return resp

@app.post("/subscribe/<post_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def subscribe(v, post_id):
 	new_sub = Subscription(user_id=v.id, submission_id=post_id)
@ -376,7 +376,7 @@ def subscribe(v, post_id):
 	return {"message": "Post subscribed!"}
 	
@app.post("/unsubscribe/<post_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def unsubscribe(v, post_id):
 	sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none()
@ -391,8 +391,7 @@ def reportbugs(v):
 	return redirect(f'/post/{BUG_THREAD}')

@app.post("/@<username>/message")
-@limiter.limit("1/second")
-@limiter.limit("10/hour")
+@limiter.limit("1/second;2/minute;10/hour;50/day")
@is_not_permabanned
 def message2(v, username):

@ -458,9 +457,7 @@ def message2(v, username):


@app.post("/reply")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
-@limiter.limit("50/hour")
+@limiter.limit("1/second;6/minute;50/hour;200/day")
@auth_required
 def messagereply(v):

@ -795,7 +792,7 @@ def u_username_info(username, v=None):


@app.post("/follow/<username>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def follow_user(username, v):

@ -819,7 +816,7 @@ def follow_user(username, v):
 	return {"message": "User followed!"}

@app.post("/unfollow/<username>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def unfollow_user(username, v):

@ -843,7 +840,7 @@ def unfollow_user(username, v):
 	return {"message": "User unfollowed!"}

@app.post("/remove_follow/<username>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def remove_follow(username, v):
 	target = get_user(username)
--- a/files/routes/votes.py
+++ b/files/routes/votes.py
@ -10,7 +10,7 @@ from os import environ
 defaultcolor = environ.get("DEFAULT_COLOR").strip()

@app.get("/votes")
-@limiter.limit("5/second;60/minute;200/hour")
+@limiter.limit("5/second;60/minute;200/hour;1000/day")
@auth_required
 def admin_vote_info_get(v):
 	link = request.values.get("link")
@ -65,7 +65,7 @@ def admin_vote_info_get(v):


@app.post("/vote/post/<post_id>/<new>")
-@limiter.limit("5/second;60/minute;600/hour")
+@limiter.limit("5/second;60/minute;600/hour;1000/day")
@auth_required
 def api_vote_post(post_id, new, v):

@ -123,7 +123,7 @@ def api_vote_post(post_id, new, v):
 	return "", 204

@app.post("/vote/comment/<comment_id>/<new>")
-@limiter.limit("5/second;60/minute;600/hour")
+@limiter.limit("5/second;60/minute;600/hour;1000/day")
@auth_required
 def api_vote_comment(comment_id, new, v):

@ -224,7 +224,7 @@ def api_vote_poll(comment_id, v):


@app.post("/bet/<comment_id>")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
@auth_required
 def bet(comment_id, v):